@aifabrix/builder 2.42.0 → 2.43.0

package/lib/app/readme.js

@@ -150,6 +150,7 @@ function generateReadmeMd(appName, config) {
     const datasources = Array.isArray(config.datasources) && config.datasources.length > 0
       ? config.datasources
       : buildExternalDatasourcePlaceholders(systemKey, config.datasourceCount, fileExt);
+    const authType = config.authentication?.type || config.authentication?.method || config.authType;
     return generateExternalReadmeContent({
       appName,
       systemKey,
@@ -157,7 +158,8 @@ function generateReadmeMd(appName, config) {
       displayName: config.systemDisplayName,
       description: config.systemDescription,
       fileExt: config.fileExt,
-      datasources
+      datasources,
+      authType
     });
   }
   const context = buildReadmeContext(appName, config);

package/lib/app/register.js

@@ -150,7 +150,9 @@ async function registerApplication(appKey, options = {}) {
   logger.log(chalk.blue('📋 Registering application...\n'));
 
   const { resolveControllerUrl } = require('../utils/controller-url');
-  const { resolveEnvironment } = require('../core/config');
+  const config = require('../core/config');
+  await config.ensureSecretsEncryptionKey();
+  const { resolveEnvironment } = config;
 
   // Load application config
   const { variables, created } = await loadVariablesYaml(appKey);

package/lib/app/rotate-secret.js

@@ -339,6 +339,9 @@ async function executeRotation(appKey, actualControllerUrl, environment, token)
 async function rotateSecret(appKey, _options = {}) {
   logger.log(chalk.yellow('⚠️  This will invalidate the old ClientSecret!\n'));
 
+  const { ensureSecretsEncryptionKey } = require('../core/config');
+  await ensureSecretsEncryptionKey();
+
   const { controllerUrl, environment } = await resolveControllerAndEnvironment();
   const config = await getConfig();
   const { token, actualControllerUrl } = await getRotationAuthToken(controllerUrl, config);

package/lib/cli/setup-app.js

@@ -84,14 +84,14 @@ async function handleCreateCommand(appName, options) {
   const wizardOptions = { app: appName, ...options };
   const normalizedOptions = normalizeExternalOptions(options);
 
-  const isExternalType = options.type === 'external';
+  const isExternalType = options.type === 'external' || !options.type;
   const isNonInteractive = process.stdin && process.stdin.isTTY === false;
 
   if (isExternalType && !options.wizard && isNonInteractive) {
     validateNonInteractiveExternalOptions(normalizedOptions);
   }
 
-  const shouldUseWizard = options.wizard && (options.type === 'external' || (!options.type && validTypes.includes('external')));
+  const shouldUseWizard = options.wizard && (options.type === 'external' || !options.type);
   if (shouldUseWizard) {
     const { handleWizard } = require('../commands/wizard');
     await handleWizard(wizardOptions);
@@ -110,7 +110,7 @@ function setupCreateCommand(program) {
     .option('-a, --authentication', 'Requires authentication/RBAC')
     .option('-l, --language <lang>', 'Runtime language (typescript/python)')
     .option('-t, --template <name>', 'Template to use (e.g., miso-controller, keycloak)')
-    .option('--type <type>', 'Application type (webapp, api, service, functionapp, external)', 'webapp')
+    .option('--type <type>', 'Application type (webapp, api, service, functionapp, external)', 'external')
     .option('--app', 'Generate minimal application files (package.json, index.ts or requirements.txt, main.py)')
     .option('-g, --github', 'Generate GitHub Actions workflows')
     .option('--github-steps <steps>', 'Extra GitHub workflow steps (comma-separated, e.g., npm,test)')
@@ -140,12 +140,12 @@ Examples:
   $ aifabrix wizard my-integration --silent  Run headless with integration/my-integration/wizard.yaml (no prompts)
   $ aifabrix wizard -a my-integration   Same as above (app name set)
   $ aifabrix wizard --config wizard.yaml  Run headless from a wizard config file
-  $ aifabrix wizard hubspot-test-v2 --debug  Enable debug output and save debug manifests on validation failure
+  $ aifabrix wizard hubspot-test --debug  Enable debug output and save debug manifests on validation failure
 
 Config path: When appName is provided, integration/<appName>/wizard.yaml is used for load/save and error.log.
 To change settings after a run, edit that file and run "aifabrix wizard <app>" again.
 Headless config must include: appName, mode (create-system|add-datasource), source (type + filePath/url/platform).
-See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`;
+See integration/hubspot-test/wizard-hubspot-e2e.yaml for an example.`;
   program.command('wizard [appName]')
     .description('Create or extend external systems (OpenAPI, MCP, or known platforms like HubSpot) via guided steps or a config file')
     .option('-a, --app <app>', 'Application name (synonym for positional appName)')

package/lib/cli/setup-auth.js

@@ -60,23 +60,31 @@ function setupAuthSubcommands(program) {
       process.exit(1);
     }
   };
-  const auth = program.command('auth').description('Authentication commands');
-  auth.command('status')
-    .description('Display authentication status for current controller and environment')
-    .option('--validate', 'Exit with code 1 when not authenticated (for scripted use, e.g. manual test setup)')
-    .action(authStatusHandler);
-  auth.command('config')
-    .description('Configure authentication settings (controller, environment)')
-    .option('--set-controller <url>', 'Set default controller URL')
-    .option('--set-environment <env>', 'Set default environment')
+  const auth = program.command('auth')
+    .description('Authentication status and config (controller, environment)')
+    .option('--set-controller <url>', 'Set default controller URL in config')
+    .option('--set-environment <env>', 'Set default environment in config')
     .action(async(options) => {
       try {
-        await handleAuthConfig(options);
+        const setController = options.setController || options['set-controller'];
+        const setEnvironment = options.setEnvironment || options['set-environment'];
+        if (setController || setEnvironment) {
+          await handleAuthConfig({
+            setController,
+            setEnvironment
+          });
+          return;
+        }
+        await handleAuthStatus(options);
       } catch (error) {
-        handleCommandError(error, 'auth config');
+        handleCommandError(error, 'auth');
         process.exit(1);
       }
     });
+  auth.command('status')
+    .description('Display authentication status for current controller and environment')
+    .option('--validate', 'Exit with code 1 when not authenticated (for scripted use, e.g. manual test setup)')
+    .action(authStatusHandler);
 }
 
 /**

package/lib/cli/setup-dev.js

@@ -73,51 +73,26 @@ async function handleSetFormat(format) {
 }
 
 /**
- * Register dev config and set-id commands.
+ * Register dev show and set-id commands.
  * @param {Command} dev - dev subcommand group
  */
-function setupDevConfigCommands(dev) {
+function setupDevShowAndSetId(dev) {
   dev
-    .command('config')
-    .description('Show or set developer configuration')
-    .option('--set-id <id>', 'Set developer ID')
-    .action(async(options) => {
+    .command('show')
+    .description('Show developer configuration (ports and config vars)')
+    .action(async() => {
       try {
-        const setIdValue = options.setId || options['set-id'];
-        if (setIdValue) {
-          const digitsOnly = /^[0-9]+$/.test(setIdValue);
-          if (!digitsOnly) {
-            throw new Error('Developer ID must be a non-negative digit string (0 = default infra, > 0 = developer-specific)');
-          }
-          await config.setDeveloperId(setIdValue);
-          process.env.AIFABRIX_DEVELOPERID = setIdValue;
-          logger.log(chalk.green(`✓ Developer ID set to ${setIdValue}`));
-          await displayDevConfig(setIdValue);
-          return;
-        }
         const devId = await config.getDeveloperId();
         await displayDevConfig(devId);
       } catch (error) {
-        handleCommandError(error, 'dev config');
-        process.exit(1);
-      }
-    });
-
-  dev
-    .command('set-format <format>')
-    .description('Set default output format for download/convert (json | yaml); used when --format not passed')
-    .action(async(format) => {
-      try {
-        await handleSetFormat(format);
-      } catch (error) {
-        handleCommandError(error, 'dev set-format');
+        handleCommandError(error, 'dev show');
         process.exit(1);
       }
     });
 
   dev
     .command('set-id <id>')
-    .description('Set developer ID (convenience alias for "dev config --set-id")')
+    .description('Set developer ID (0 = default infra, > 0 = developer-specific)')
     .action(async(id) => {
       try {
         const digitsOnly = /^[0-9]+$/.test(id);
@@ -135,6 +110,61 @@ function setupDevConfigCommands(dev) {
     });
 }
 
+/**
+ * Register dev set-env-config, set-home and set-format commands.
+ * @param {Command} dev - dev subcommand group
+ */
+function setupDevPathAndFormatCommands(dev) {
+  dev
+    .command('set-env-config <filePath>')
+    .description('Set aifabrix-env-config path in config.yaml (pass empty to clear; path is not checked for existence)')
+    .action(async(filePath) => {
+      try {
+        const trimmed = (filePath || '').trim();
+        await config.setAifabrixEnvConfigPath(trimmed);
+        logger.log(trimmed === '' ? chalk.green('✓ Env config path cleared') : chalk.green(`✓ Env config path set to ${trimmed}`));
+      } catch (error) {
+        handleCommandError(error, 'dev set-env-config');
+        process.exit(1);
+      }
+    });
+
+  dev
+    .command('set-home <path>')
+    .description('Set aifabrix-home path in config.yaml (pass empty string to clear)')
+    .action(async(homePath) => {
+      try {
+        const trimmed = (homePath || '').trim();
+        await config.setAifabrixHomeOverride(trimmed);
+        logger.log(trimmed === '' ? chalk.green('✓ Home path cleared') : chalk.green(`✓ Home path set to ${trimmed}`));
+      } catch (error) {
+        handleCommandError(error, 'dev set-home');
+        process.exit(1);
+      }
+    });
+
+  dev
+    .command('set-format <format>')
+    .description('Set default output format for download/convert (json | yaml); used when --format not passed')
+    .action(async(format) => {
+      try {
+        await handleSetFormat(format);
+      } catch (error) {
+        handleCommandError(error, 'dev set-format');
+        process.exit(1);
+      }
+    });
+}
+
+/**
+ * Register dev show, set-id, set-env-config, set-home and set-format commands.
+ * @param {Command} dev - dev subcommand group
+ */
+function setupDevConfigCommands(dev) {
+  setupDevShowAndSetId(dev);
+  setupDevPathAndFormatCommands(dev);
+}
+
 /**
  * Register dev init and refresh commands.
  * @param {Command} dev - dev subcommand group

package/lib/cli/setup-environment.js

@@ -1,5 +1,5 @@
 /**
- * CLI environment deployment command setup (environment deploy, env deploy).
+ * CLI environment deployment command setup (env deploy).
  *
  * @fileoverview Environment command definitions for AI Fabrix Builder CLI
  * @author AI Fabrix Team
@@ -18,35 +18,20 @@ function setupEnvironmentCommands(program) {
       const environmentDeploy = require('../deployment/environment');
       await environmentDeploy.deployEnvironment(envKey, options);
     } catch (error) {
-      handleCommandError(error, 'environment deploy');
+      handleCommandError(error, 'env deploy');
       process.exit(1);
     }
   };
 
-  const environment = program
-    .command('environment')
-    .description('Deploy and manage Miso Controller environments (dev, tst, pro, miso)');
-
   const deployExamples = `
 Examples:
-  $ aifabrix environment deploy dev
-  $ aifabrix environment deploy tst --preset m
-  $ aifabrix environment deploy dev --config ./env-config.json --no-poll`;
-
-  environment
-    .command('deploy <env>')
-    .description('Deploy environment infrastructure in Miso Controller (run before deploy <app>)')
-    .option('--config <file>', 'Environment configuration file (optional if --preset is used)')
-    .option('--preset <size>', 'Environment size preset: s, m, l, xl (default: s)', 's')
-    .option('--skip-validation', 'Skip environment validation')
-    .option('--poll', 'Poll for deployment status', true)
-    .option('--no-poll', 'Do not poll for status')
-    .addHelpText('after', deployExamples)
-    .action(deployEnvHandler);
+  $ aifabrix env deploy dev
+  $ aifabrix env deploy tst --preset m
+  $ aifabrix env deploy dev --config ./env-config.json --no-poll`;
 
   const env = program
     .command('env')
-    .description('Deploy and manage Miso Controller environments (alias for environment)');
+    .description('Deploy and manage Miso Controller environments (dev, tst, pro, miso)');
 
   env
     .command('deploy <env>')

package/lib/cli/setup-infra.js

@@ -17,6 +17,7 @@ const { resolveControllerUrl } = require('../utils/controller-url');
 const { handleLogin } = require('../commands/login');
 const { handleUpMiso } = require('../commands/up-miso');
 const { handleUpDataplane } = require('../commands/up-dataplane');
+const { cleanBuilderAppDirs } = require('../commands/up-common');
 
 /**
  * Persists optional service flag to config when explicitly set.
@@ -108,8 +109,12 @@ function setupUpPlatformCommand(program) {
     .option('-r, --registry <url>', 'Override registry for all apps (e.g. myacr.azurecr.io)')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
     .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/k:v1, miso-controller=myreg/m:v1, dataplane=myreg/d:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
+    .option('-f, --force', 'Clean builder/keycloak, builder/miso-controller, builder/dataplane and re-fetch from templates')
     .action(async(options) => {
       try {
+        if (options.force) {
+          await cleanBuilderAppDirs(['keycloak', 'miso-controller', 'dataplane']);
+        }
         await handleUpMiso(options);
         await handleUpDataplane(options);
       } catch (error) {
@@ -137,8 +142,12 @@ function setupUpMisoCommand(program) {
     .option('-r, --registry <url>', 'Override registry for all apps (e.g. myacr.azurecr.io)')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
     .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/k:v1, miso-controller=myreg/m:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
+    .option('-f, --force', 'Clean builder/keycloak and builder/miso-controller and re-fetch from templates')
     .action(async(options) => {
       try {
+        if (options.force) {
+          await cleanBuilderAppDirs(['keycloak', 'miso-controller']);
+        }
         await handleUpMiso(options);
       } catch (error) {
         handleCommandError(error, 'up-miso');
@@ -153,8 +162,12 @@ function setupUpDataplaneCommand(program) {
     .option('-r, --registry <url>', 'Override registry for dataplane image')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
     .option('-i, --image <ref>', 'Override dataplane image reference (e.g. myreg/dataplane:latest)')
+    .option('-f, --force', 'Clean builder/dataplane and re-fetch from templates')
     .action(async(options) => {
       try {
+        if (options.force) {
+          await cleanBuilderAppDirs(['dataplane']);
+        }
         await handleUpDataplane(options);
       } catch (error) {
         if (isAuthenticationError(error)) {

package/lib/cli/setup-secrets.js

@@ -6,12 +6,15 @@
  * @version 2.0.0
  */
 
+const chalk = require('chalk');
 const { handleCommandError } = require('../utils/cli-utils');
 const { handleSecretsSet } = require('../commands/secrets-set');
 const { handleSecretsList } = require('../commands/secrets-list');
 const { handleSecretsRemove } = require('../commands/secrets-remove');
 const { handleSecretsValidate } = require('../commands/secrets-validate');
 const { handleSecure } = require('../commands/secure');
+const config = require('../core/config');
+const logger = require('../utils/logger');
 
 function setupSecretValidateCommand(secretCmd) {
   secretCmd
@@ -20,6 +23,7 @@ function setupSecretValidateCommand(secretCmd) {
     .option('--naming', 'Check key names against *KeyVault convention')
     .action(async(pathArg, options) => {
       try {
+        await config.ensureSecretsEncryptionKey();
         const result = await handleSecretsValidate(pathArg, options);
         if (!result.valid) process.exit(1);
       } catch (error) {
@@ -29,6 +33,25 @@ function setupSecretValidateCommand(secretCmd) {
     });
 }
 
+/**
+ * Registers the secure command on the program.
+ * @param {Command} program - Commander program instance
+ */
+function setupSecureCommand(program) {
+  program.command('secure')
+    .description('Encrypt secrets in secrets.local.yaml files for ISO 27001 compliance')
+    .option('--secrets-encryption <key>', 'Encryption key (32 bytes, hex or base64)')
+    .action(async(options) => {
+      try {
+        await config.ensureSecretsEncryptionKey();
+        await handleSecure(options);
+      } catch (error) {
+        handleCommandError(error, 'secure');
+        process.exit(1);
+      }
+    });
+}
+
 /**
  * Sets up secrets and security commands
  * @param {Command} program - Commander program instance
@@ -44,6 +67,7 @@ function setupSecretsCommands(program) {
     .option('--shared', 'List shared secrets (from config aifabrix-secrets or remote API)')
     .action(async(options) => {
       try {
+        await config.ensureSecretsEncryptionKey();
         await handleSecretsList(options);
       } catch (error) {
         handleCommandError(error, 'secret list');
@@ -57,6 +81,7 @@ function setupSecretsCommands(program) {
     .option('--shared', 'Save to general secrets file (from config.yaml aifabrix-secrets) instead of user secrets')
     .action(async(key, value, options) => {
       try {
+        await config.ensureSecretsEncryptionKey();
         await handleSecretsSet(key, value, options);
       } catch (error) {
         handleCommandError(error, 'secret set');
@@ -70,6 +95,7 @@ function setupSecretsCommands(program) {
     .option('--shared', 'Remove from shared secrets (file or remote API)')
     .action(async(key, options) => {
       try {
+        await config.ensureSecretsEncryptionKey();
         await handleSecretsRemove(key, options);
       } catch (error) {
         handleCommandError(error, 'secret remove');
@@ -77,16 +103,29 @@ function setupSecretsCommands(program) {
       }
     });
 
+  setupSecretSetSecretsFileCommand(secretCmd);
   setupSecretValidateCommand(secretCmd);
+  setupSecureCommand(program);
+}
 
-  program.command('secure')
-    .description('Encrypt secrets in secrets.local.yaml files for ISO 27001 compliance')
-    .option('--secrets-encryption <key>', 'Encryption key (32 bytes, hex or base64)')
-    .action(async(options) => {
+/**
+ * Register secret set-secrets-file command.
+ * @param {Command} secretCmd - secret command group
+ */
+function setupSecretSetSecretsFileCommand(secretCmd) {
+  secretCmd
+    .command('set-secrets-file <path>')
+    .description('Set aifabrix-secrets path in config (local file or https URL; pass empty to clear; path/URL is not checked for existence)')
+    .action(async(secretsPath) => {
       try {
-        await handleSecure(options);
+        const trimmed = (secretsPath || '').trim();
+        if (trimmed !== '' && trimmed.startsWith('http://')) {
+          throw new Error('Only https URLs are allowed for remote secrets');
+        }
+        await config.setSecretsPath(trimmed);
+        logger.log(trimmed === '' ? chalk.green('✓ Secrets file path cleared') : chalk.green(`✓ Secrets file path set to ${trimmed}`));
       } catch (error) {
-        handleCommandError(error, 'secure');
+        handleCommandError(error, 'secret set-secrets-file');
         process.exit(1);
       }
     });

package/lib/cli/setup-service-user.js

@@ -10,28 +10,37 @@
 const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { handleCommandError } = require('../utils/cli-utils');
-const { runServiceUserCreate } = require('../commands/service-user');
+const {
+  runServiceUserCreate,
+  runServiceUserList,
+  runServiceUserRotateSecret,
+  runServiceUserDelete,
+  runServiceUserUpdateGroups,
+  runServiceUserUpdateRedirectUris
+} = require('../commands/service-user');
 
-/**
- * Sets up service-user commands
- * @param {Command} program - Commander program instance
- */
-function setupServiceUserCommands(program) {
-  const serviceUser = program
-    .command('service-user')
-    .description('Create and manage service users (API clients) for integrations and CI')
-    .addHelpText('after', `
+const HELP_AFTER = `
 Service users are dedicated accounts for integrations, CI pipelines, or API clients.
-The controller returns a one-time clientSecret on create—save it immediately; it cannot be retrieved again.
+Use: list (service-user:read), create (service-user:create), rotate-secret, update-groups, update-redirect-uris (service-user:update), delete (service-user:delete).
+The controller returns a one-time clientSecret on create and rotate-secret—save it immediately; it cannot be retrieved again.
 
-Example:
-  $ aifabrix service-user create -u api-client-001 -e api@example.com \\
-      --redirect-uris "https://app.example.com/callback" --group-names "AI-Fabrix-Developers"
+Examples:
+  $ aifabrix service-user create -u postman -e postman@aifabrix.dev \\
+      --redirect-uris https://oauth.pstmn.io/v1/callback --group-names AI-Fabrix-Platform-Admins
+  $ aifabrix service-user list
+  $ aifabrix service-user rotate-secret --id <uuid>
+  $ aifabrix service-user delete --id <uuid>
+  $ aifabrix service-user update-groups --id <uuid> --group-names Group1,Group2
+  $ aifabrix service-user update-redirect-uris --id <uuid> --redirect-uris https://app.example.com/callback
 
-Required: permission service-user:create on the controller. Run "aifabrix login" first.`);
+Run "aifabrix login" first.`;
+
+function parseOptionalInt(val) {
+  return (val !== undefined && val !== null) ? parseInt(val, 10) : undefined;
+}
 
-  serviceUser
-    .command('create')
+function addCreateCommand(serviceUser) {
+  serviceUser.command('create')
     .description('Create a service user and receive a one-time clientSecret (save it now; it will not be shown again)')
     .option('--controller <url>', 'Controller base URL (default: from config)')
     .option('-u, --username <username>', 'Service user username (required)')
@@ -41,15 +50,14 @@ Required: permission service-user:create on the controller. Run "aifabrix login"
     .option('-d, --description <description>', 'Description for the service user')
     .action(async(options) => {
       try {
-        const opts = {
+        await runServiceUserCreate({
           controller: options.controller,
           username: options.username,
           email: options.email,
           redirectUris: options.redirectUris,
           groupNames: options.groupNames,
           description: options.description
-        };
-        await runServiceUserCreate(opts);
+        });
       } catch (error) {
         logger.error(chalk.red(`Error: ${error.message}`));
         handleCommandError(error, 'service-user create');
@@ -58,4 +66,122 @@ Required: permission service-user:create on the controller. Run "aifabrix login"
     });
 }
 
+function addListCommand(serviceUser) {
+  serviceUser.command('list')
+    .description('List service users (supports pagination and search)')
+    .option('--controller <url>', 'Controller base URL (default: from config)')
+    .option('--page <n>', 'Page number')
+    .option('--page-size <n>', 'Items per page')
+    .option('--search <term>', 'Search term')
+    .option('--sort <field>', 'Sort field/direction')
+    .option('--filter <expr>', 'Filter expression')
+    .action(async(options) => {
+      try {
+        await runServiceUserList({
+          controller: options.controller,
+          page: parseOptionalInt(options.page),
+          pageSize: parseOptionalInt(options.pageSize),
+          search: options.search,
+          sort: options.sort,
+          filter: options.filter
+        });
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'service-user list');
+        process.exit(1);
+      }
+    });
+}
+
+function addRotateSecretCommand(serviceUser) {
+  serviceUser.command('rotate-secret')
+    .description('Rotate (regenerate) secret for a service user; new secret shown once only')
+    .option('--controller <url>', 'Controller base URL (default: from config)')
+    .option('--id <uuid>', 'Service user ID (required)')
+    .action(async(options) => {
+      try {
+        await runServiceUserRotateSecret({ controller: options.controller, id: options.id });
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'service-user rotate-secret');
+        process.exit(1);
+      }
+    });
+}
+
+function addDeleteCommand(serviceUser) {
+  serviceUser.command('delete')
+    .description('Delete (deactivate) a service user')
+    .option('--controller <url>', 'Controller base URL (default: from config)')
+    .option('--id <uuid>', 'Service user ID (required)')
+    .action(async(options) => {
+      try {
+        await runServiceUserDelete({ controller: options.controller, id: options.id });
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'service-user delete');
+        process.exit(1);
+      }
+    });
+}
+
+function addUpdateGroupsCommand(serviceUser) {
+  serviceUser.command('update-groups')
+    .description('Update group assignments for a service user')
+    .option('--controller <url>', 'Controller base URL (default: from config)')
+    .option('--id <uuid>', 'Service user ID (required)')
+    .option('--group-names <names>', 'Comma-separated group names (required)')
+    .action(async(options) => {
+      try {
+        await runServiceUserUpdateGroups({
+          controller: options.controller,
+          id: options.id,
+          groupNames: options.groupNames
+        });
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'service-user update-groups');
+        process.exit(1);
+      }
+    });
+}
+
+function addUpdateRedirectUrisCommand(serviceUser) {
+  serviceUser.command('update-redirect-uris')
+    .description('Update redirect URIs for a service user (min 1)')
+    .option('--controller <url>', 'Controller base URL (default: from config)')
+    .option('--id <uuid>', 'Service user ID (required)')
+    .option('--redirect-uris <uris>', 'Comma-separated redirect URIs (required, min 1)')
+    .action(async(options) => {
+      try {
+        await runServiceUserUpdateRedirectUris({
+          controller: options.controller,
+          id: options.id,
+          redirectUris: options.redirectUris
+        });
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'service-user update-redirect-uris');
+        process.exit(1);
+      }
+    });
+}
+
+/**
+ * Sets up service-user commands
+ * @param {Command} program - Commander program instance
+ */
+function setupServiceUserCommands(program) {
+  const serviceUser = program
+    .command('service-user')
+    .description('Create and manage service users (API clients) for integrations and CI')
+    .addHelpText('after', HELP_AFTER);
+  addCreateCommand(serviceUser);
+  addListCommand(serviceUser);
+  addRotateSecretCommand(serviceUser);
+  addDeleteCommand(serviceUser);
+  addUpdateGroupsCommand(serviceUser);
+  addUpdateRedirectUrisCommand(serviceUser);
+}
+
 module.exports = { setupServiceUserCommands };